CVE-2025-13342: CWE-862 Missing Authorization in shabti Frontend Admin by DynamiApps
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms.
AI Analysis
Technical Summary
CVE-2025-13342 is a missing authorization vulnerability (CWE-862) in the Frontend Admin by DynamiApps WordPress plugin. The plugin fails to properly verify user capabilities before processing option changes in the ActionOptions::run() handler. This allows unauthenticated attackers to modify arbitrary WordPress options, including users_can_register, default_role, and admin_email, by sending crafted form submissions to publicly accessible frontend forms. The vulnerability affects all versions up to and including 3.28.20 and has a critical CVSS 3.1 base score of 9.8.
Potential Impact
Successful exploitation enables unauthenticated attackers to change critical WordPress configuration options. This can lead to unauthorized user registrations, privilege escalation by setting default roles, and potential disruption or redirection of administrative communications via admin_email modification. The impact affects confidentiality, integrity, and availability of the WordPress site.
Mitigation Recommendations
No official patch or fix is currently available as per the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict access to the plugin's frontend forms if possible, and monitor for suspicious activity related to option changes. Avoid exposing the vulnerable plugin on publicly accessible sites or disable it if feasible.
CVE-2025-13342: CWE-862 Missing Authorization in shabti Frontend Admin by DynamiApps
Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-13342 is a missing authorization vulnerability (CWE-862) in the Frontend Admin by DynamiApps WordPress plugin. The plugin fails to properly verify user capabilities before processing option changes in the ActionOptions::run() handler. This allows unauthenticated attackers to modify arbitrary WordPress options, including users_can_register, default_role, and admin_email, by sending crafted form submissions to publicly accessible frontend forms. The vulnerability affects all versions up to and including 3.28.20 and has a critical CVSS 3.1 base score of 9.8.
Potential Impact
Successful exploitation enables unauthenticated attackers to change critical WordPress configuration options. This can lead to unauthorized user registrations, privilege escalation by setting default roles, and potential disruption or redirection of administrative communications via admin_email modification. The impact affects confidentiality, integrity, and availability of the WordPress site.
Mitigation Recommendations
No official patch or fix is currently available as per the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict access to the plugin's frontend forms if possible, and monitor for suspicious activity related to option changes. Avoid exposing the vulnerable plugin on publicly accessible sites or disable it if feasible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-17T23:15:13.995Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69302ef1720cedca79452385
Added to database: 12/3/2025, 12:37:05 PM
Last enriched: 4/9/2026, 4:28:16 PM
Last updated: 5/9/2026, 8:38:00 PM
Views: 336
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.